Setting Up Windows Environment to Configure Kerberos KDC

The steps in this section have been verified on Windows Server 2016.

To set up your Windows environment to configure Kerberos KDC, do the following:

  1. If you have not deployed the Active Directory Domain Controller in your environment, then deploy a Windows server and promote the server as the Active Directory Domain Controller. Refer to the Microsoft documentation to perform this activity.

  2. If you have deployed the Active Directory Domain Controller and Intelligence in the same domain, proceed to step 4.

  3. If you have deployed the Active Directory Domain Controller and Intelligence in different domains, add the Active Directory Domain Controller DNS entry in the Kubernetes environment:

    1. Log in to the node in the CDF cluster as the root user and run the following command to edit the dns-hosts-configmap ConfigMap:

      kubectl edit cm dns-hosts-configmap -n kube-system

      Your terminal looks as follows:

      apiVersion: v1
      data:
        dns-hosts-key: ""
      kind: ConfigMap
      metadata:
        creationTimestamp: 2018-10-19T05:28:05Z
        name: dns-hosts-configmap
        namespace: kube-system

    2. Update the DNS entries and save the file. This change will take effect in 20 seconds automatically.

      For example, add the following DNS entries:

      dns-hosts-key: |
        192.0.2.0 myhost.mydomain.com
        192.0.2.1 myhost.mydomain2.com

    3. Your terminal looks as follows:

      apiVersion: v1
      data:
        dns-hosts-key: |
          192.0.2.0 myhost.mydomain.com
          192.0.2.1 myhost.mydomain2.com
      kind: ConfigMap
      metadata:
        creationTimestamp: 2018-10-19T05:28:05Z

  4. (Recommended) Perform the following steps to ensure that you select strong encryption types for Kerberos on the Active Directory Domain Controller:

    1. In Local Group Policy Editor, navigate to the following location:

      Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

    2. Select Network Security: Configure encryption types allowed for Kerberos.

    3. Right-click Network Security: Configure encryption types allowed for Kerberos and click Properties.

    4. In the pop-up window, under the Local Security Setting tab, select the following check boxes:

      • AES128_HMAC_SHA1

      • AES256_HMAC_SHA1

      • Future encryption types

    5. Click Apply and then click OK.

    6. Open a command prompt on the Active Directory Domain Controller and run the following command to update the Group Policy:

      gpupdate

  5. Proceed to Creating Service Principals for Kerberos Ticket Generation in Windows.
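
To confirm that the encryption types selected in step 4 took effect after gpupdate, the following added example (not part of the original procedure) reads the policy value on the Domain Controller and decodes it. The registry path and bit flags are the ones Windows uses for this policy setting and are not taken from this page; the function name Get-KerberosEtypeReport is hypothetical.

```powershell
# Added example: decode the value written by the policy
# "Network Security: Configure encryption types allowed for Kerberos".
# Flag values are the SupportedEncryptionTypes bits used by Windows.
$EtypeFlags = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future encryption types' = 0x7FFFFFE0
}
$WeakMask     = 0x7          # DES and RC4 bits
$ExpectedMask = 0x7FFFFFF8   # AES128 + AES256 + Future encryption types (step 4)

function Get-KerberosEtypeReport {
    param([Parameter(Mandatory)][int64]$Value)

    # Collect the name of every encryption type whose bits are all set.
    $enabled = foreach ($name in $EtypeFlags.Keys) {
        $bit = $EtypeFlags[$name]
        if (($Value -band $bit) -eq $bit) { $name }
    }

    [pscustomobject]@{
        Value        = '0x{0:X}' -f $Value
        Enabled      = @($enabled)
        WeakEnabled  = ($Value -band $WeakMask) -ne 0   # DES or RC4 still allowed
        MatchesStep4 = $Value -eq $ExpectedMask
    }
}

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$prop = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue

if ($null -eq $prop) {
    # The value is absent until the policy has been configured and applied.
    Write-Warning 'SupportedEncryptionTypes is not set; the policy from step 4 has not been applied.'
} else {
    Get-KerberosEtypeReport -Value $prop.SupportedEncryptionTypes
}
```

With only the three check boxes from step 4 selected, the report shows Value 0x7FFFFFF8, WeakEnabled False, and MatchesStep4 True.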